How I can see criticality level of subscription in Azure sentinel

Nishit 60

Generally, we can configure criticality level of subscription in Azure portal so how we can see such information in Azure sentinel logs.

Clive Watson 6,521 Reputation points MVP

2024-11-04T09:11:44.3066667+00:00

Hello, I'm not sure I understand the question, do you have screen shots of what you are configuring, to help us know what you are doing?
Givary-MSFT 33,081 Reputation points Microsoft Employee

2024-11-04T10:08:18.2+00:00

@94554605 Thank you for reaching out to us, As Clive mentioned please help us with the screenshots for better understanding of the issue so that we can assist you better.

Also, you mentioned "configure criticality level of subscription" are you referring to these settings - https://learn.microsoft.com/en-us/security-exposure-management/classify-critical-assets which you want to fetch from Sentinel ?
Nishit 60 Reputation points

2024-11-04T11:57:23.17+00:00

Sorry my bad. Let me explain bit further.

So if we applied any tag to any resource like subscription or VM then how we can see that tag value into azure sentinel log.
Basically we want to utilise that information as metadata for analysts when alert/incident trigger.
Attaching snapshot for the reference.
Givary-MSFT 33,081 Reputation points Microsoft Employee

2024-11-05T06:07:37.2733333+00:00

@94554605 I have converted the Clive comments as answer, feel free to accept it.

Accepted answer

Clive Watson 6,521 Reputation points MVP

2024-11-04T14:08:46.3833333+00:00
That wont work, at least not in the way you want, Tags are stored in the Azure resource Graph (ARG), so you can check them in ARG (also using KQL). You might get lucky and find a change / add of a tag in the AzureActivity log, but if say the resource was created 2years ago, you cant do that in your Alert Rule given the 14day look back.
ARG doesnt have this restriction, and you can see all resources.

I'd put in a task into Sentinel, where the analysts goes to ARG to look these up (or maybe consider a Playbook to do this) https://portal.azure.com/#view/HubsExtension/ArgQueryBlade

resources | where type == "microsoft.compute/virtualmachines" | project name, tags
Please sign in to rate this answer.

2 people found this answer helpful.
Andrew Blumhardt 9,861 Reputation points Microsoft Employee

2024-11-04T18:01:11.0566667+00:00

Agree. You may not find resource tags in many of the Azure related tables like Azure Activity. You cannot query the resource graph from a Sentinel analytic rules but you can from a playbook or workbook. You might consider a watchlist in Sentinel to duplicate your priority subscription list. All of your resource logs should reflect the subscription ID. Then you can just use a join on the watchlist for analytic rules. Basically, create a reference that that is more accessible to standard KQL queries.

Nishit 60 Reputation points

2024-11-05T06:02:52.3733333+00:00

Thanks Clive & Andrew.
ARG seems helpful here. Will explore it in terms of playbook.
@Clive Watson Clive Could you post as an answer so I can mark as accepted answer.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How I can see criticality level of subscription in Azure sentinel

0 additional answers

Your answer